Hi all, I apologize for being a little off-topic, since this isn't directly caja-related, but I didn't know where else to look for the world's greatest javascript security experts.
I've hacked together a little javascript game called "ecmanomic" (played in the browser at http://ecmanomic.org ). I think it may interest some of you and I'm eager to hear your feedback on it. Ecmanomic is inspired by Peter Suber's game of Nomic, where each play of the game changes the rules of the game. There's a google group (cc'd) and a google code project as well, both called "ecmanomic". (This was a learning project for me since I didn't know anything about javascript at the beginning. So please excuse the terrible style and all the egregious mistakes I've no doubt made.)

Suber's Nomic was designed to model the legislative process, where there are layers of "security" that enforce a kind of self-paternalism. Similarly, in ecmanomic there are several layers of security that I've tried to implement in (almost) pure javascript. I'd like to know if any of you see a way to violate any of these layers.

1. The entire game is stored in a javascript object, serialized in a slightly-modified JSON. The game allows players to change the game object, but only in specific ways: e.g. proposing an amendment, voting on existing amendments, and activating an amendment with sufficient positive votes. Can you use these basic interactions to pervert the game object itself (for example, changing your player's score to 100)? (I'll give you 100 metaphorical points if you can.)

2. The game also has a small hosted database. I added this at the last minute so that it can maintain libraries of code which aren't part of the game proper (and thus don't slow down the page load). The database is stored in JSON flat files on a linux filesystem. The small bootstrap perl script which is responsible for running the server-side JS also provides the game access to the files. However, the bootstrap script has no security; I've attempted to layer on some security from within the javascript game. Can you subvert this security to gain unfettered read or write access to the database? (25 points for read, 50 points for write. If you could write, you could execute arbitrary code in the player's browser, but not in the serverside game; however this would be enough for dastardly deeds.)

3. Within the game of ecmanomic I've implemented a few little subgames. All of these involve eval() statements, as a test of how robust I could make the security. In the first game, CodeWriter, you submit a snippet of code which must evaluate to a function. Before evaluating your code, I pass it through some regexps looking for unsafe patterns. If your code is OK, your function enters the game arena and competes against other functions. Can you subvert this game and force yourself to win? (1 point if you can. Also 1 point each round you can come up with the cleverest function!)

4. Another subgame, much more ambitious, is called "Moo". In this game I allow persistence of user-created data and code, including a bastardized version of prototypical inheritance, and I allow users to interact with each other's objects and functions. The objects have "owner" fields that should restrict write-access. 1 point for you if you can change someone else's object without their permission. Also, to prevent DOS-style bloat attacks, each user has a limited budget of bytes to add to the game; the budget can only be refilled by another player who is impressed by your work. Half a point for anyone who can find a way to circumvent this, but please don't demonstrate by filling the game up with spam!

5. Within the Moo subgame, there's yet another layer of security. I tried to create an in-subgame non-scarce currency called "props". The idea is that I can "depute" certain objects by name; these objects are authorized to give props on my behalf. There's an example in the Avatar lobby: a graffiti wall which will give you one props from me if you write on it. 0.5 points if you can violate this currency model, e.g. get more than 1 props from me or remove someone else's props.
Anyway, if you feel inclined to take a look at the game in your copious free time, I'd love to hear what you think of it, either here or on the ecmanomic newsgroup. All criticism will be graciously accepted! (I already know that the user interface is not very good, but one beauty of the game is that any player can improve the interface for everyone, so feel free to jump in and help out!) Cheers, --Adam
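The post's layers 4 and 5 (objects whose "owner" field should restrict writes, and a "props" currency where a deputed object such as the graffiti wall may grant props on the owner's behalf) can be modelled with object capabilities instead of name checks. The example below is added here and is not code from ecmanomic or its author; every identifier in it (createOwnedObject, createPropsLedger, depute, createGraffitiWall, the player names) is invented for the illustration. The design point is that the authority to write an object or to hand out a props is carried by an unforgeable reference, and deputation hands the wall a narrowed reference that can only grant one props per recipient, so the wall holds no authority to grant more or to remove anyone's props.

```javascript
'use strict';

// Added example, not ecmanomic's own code. An owned object is split into a
// read-only view that anyone may hold and a writer handed only to its owner.
// There is no mutable "owner" string for other code to compare against.
function createOwnedObject(ownerName, initialFields) {
  const fields = Object.assign({}, initialFields);
  const view = Object.freeze({
    owner: ownerName,
    get: (key) => fields[key],
    keys: () => Object.keys(fields),
  });
  const writer = Object.freeze({
    set: (key, value) => { fields[key] = value; },
  });
  return { view, writer };
}

// The props ledger is kept by trusted code; each player gets a giver
// capability bound to their own name, and nothing in the public surface
// can decrement a tally.
function createPropsLedger() {
  const tally = new Map(); // recipient -> Map(giver -> count)

  function record(giver, recipient) {
    if (!tally.has(recipient)) tally.set(recipient, new Map());
    const byGiver = tally.get(recipient);
    byGiver.set(giver, (byGiver.get(giver) || 0) + 1);
  }

  return Object.freeze({
    // Full giving authority for `owner`: any number of props, always as owner.
    giverFor(owner) {
      return Object.freeze({ give: (recipient) => record(owner, recipient) });
    },
    propsFrom(recipient, giver) {
      const byGiver = tally.get(recipient);
      return byGiver ? (byGiver.get(giver) || 0) : 0;
    },
  });
}

// Deputation: wrap a giver in a narrower capability that grants at most one
// props per recipient. The deputed object never sees the full giver.
function depute(giver) {
  const seen = new Set();
  return Object.freeze({
    giveOnce(recipient) {
      if (seen.has(recipient)) return false;
      seen.add(recipient);
      giver.give(recipient);
      return true;
    },
  });
}

// A graffiti wall that rewards each author with one props from the deputing owner.
function createGraffitiWall(deputedGiver) {
  const lines = [];
  return Object.freeze({
    write(author, text) {
      lines.push(`${author}: ${text}`);
      return deputedGiver.giveOnce(author);
    },
    read: () => lines.slice(),
  });
}

// Constructed scenario: "adam" deputes a wall; "bob" writes on it twice.
function demo() {
  const ledger = createPropsLedger();
  const adamGiver = ledger.giverFor('adam');
  const wall = createGraffitiWall(depute(adamGiver));

  const first = wall.write('bob', 'hello');   // true: bob earns 1 props from adam
  const second = wall.write('bob', 'again');  // false: bob already received his one
  const bobProps = ledger.propsFrom('bob', 'adam');

  const { view, writer } = createOwnedObject('bob', { colour: 'blue' });
  writer.set('colour', 'red');                 // bob holds the writer, so this succeeds
  const viewHasSetter = typeof view.set === 'function'; // false: the shared view is read-only

  return { first, second, bobProps, colour: view.get('colour'), viewHasSetter };
}
```

Run `demo()` to walk the scenario: the wall can only ever add one props per author on adam's behalf, and a player who is handed `view` but not `writer` has no operation available that changes the object's fields.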
